***Update 31-MAR-2011***

The purpose of this update is to describe the failed attempt on one reseller user account to access the certificate ordering platform on 26-MAR-2011.

What didn't Happen

Our CA infrastructure was not compromised.

Our keys in our HSMs were not compromised.

No certificates have been fraudulently issued.

The attempt to fraudulently access the certificate ordering platform to issue a certificate failed.

What Happened

Comodo detected and thwarted an intrusion into a reseller user account on 26-MAR-2011. The new controls implemented by Comodo following the incident on 15-MAR-2011 removed any risk of the fraudulent issue of certificates. We believe the attack came from the same perpetrator as the incident on 15-MAR-2011.

A second issue associated with a second reseller was initially detected and reported by Comodo. After further investigation, Comodo has determined that this was in fact a login error on the part of the reseller.

Report of incident on 15-MAR-2011

An RA suffered an attack that resulted in a breach of one user account of that specific RA.

This RA account was then used fraudulently to issue 9 certificates (across 7 different domains).

All of these certificates were revoked immediately on discovery.

Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.

What didn't Happen

No other RA was compromised. No other RA user accounts were compromised.

What Happened

One user account in one RA was compromised.

The attacker created himself a new userID (with a new username and password) on the compromised user account.

The attack came from several IP addresses, but mainly from Iran.

IP Address: 212.95.136.18
City: Tehran
State or Region: Tehran
Country: Iran, Islamic Republic of
ISP: Pishgaman TOSE Ertebatat Tehran Network
Latitude & Longitude: 35.696111, 51.423056

The attacker was well prepared and knew in advance what he was trying to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able to quickly generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.

Although they requested 9 certificates we do not know if they received all of these certificates.

We know that they definitely received one of the certificates.

All certificates were revoked immediately on discovery.

Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders.
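As an added illustration of the OCSP responder monitoring described above (example code, not Comodo's own tooling): a small Python script that scans responder access logs for status requests about revoked serials made after their revocation time, and separately flags any 'good' answer given for a serial that was already revoked at that moment, which would indicate the revocation had not reached the responder. The log format, serial numbers, timestamps and client addresses are all constructed for the example and are not the real certificates or clients from the incident.

```python
# Added example, not Comodo's code: scan (constructed) OCSP responder access
# logs for status requests about revoked serials made after revocation time.
# Log format, serials, timestamps and IPs below are all constructed for the
# illustration and are not the real certificates or clients from the incident.
from datetime import datetime, timezone

# Constructed revocation list: serial -> revocation time (UTC).
REVOKED = {
    "0x1a2b3c": datetime(2011, 3, 15, 18, 0, tzinfo=timezone.utc),
    "0x4d5e6f": datetime(2011, 3, 15, 18, 0, tzinfo=timezone.utc),
}

# Constructed responder log: "<ISO-8601 UTC time> <client ip> serial=<hex> status=<answer>"
SAMPLE_LOG = """\
2011-03-15T17:55:00Z 198.51.100.7 serial=0x1a2b3c status=good
2011-03-15T18:01:00Z 198.51.100.7 serial=0x4d5e6f status=good
2011-03-15T18:05:12Z 192.0.2.10 serial=0x1a2b3c status=revoked
2011-03-15T18:06:40Z 192.0.2.10 serial=0x999999 status=good
malformed line that the parser must skip
2011-03-16T09:00:00Z 203.0.113.5 serial=0x4d5e6f status=revoked
"""


def parse_line(line):
    """Return (time, client_ip, serial, status), or None for a line that
    does not match the constructed format."""
    parts = line.split()
    if (len(parts) != 4 or not parts[2].startswith("serial=")
            or not parts[3].startswith("status=")):
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    when = when.replace(tzinfo=timezone.utc)
    return when, parts[1], parts[2][len("serial="):].lower(), parts[3][len("status="):]


def find_post_revocation_requests(log_text, revoked=REVOKED):
    """Return every status request for a revoked serial that arrived at or
    after that serial's revocation time. Any hit means a client somewhere
    is still being presented with (or is probing) a certificate that
    should be dead, which is exactly the traffic worth watching after an
    incident like this one."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines that are not responder requests
        when, client_ip, serial, status = parsed
        revoked_at = revoked.get(serial)
        if revoked_at is not None and when >= revoked_at:
            hits.append({"time": when.isoformat(), "client_ip": client_ip,
                         "serial": serial, "status": status})
    return hits


def find_stale_good_answers(log_text, revoked=REVOKED):
    """Post-revocation requests the responder still answered 'good': a sign
    the revocation had not propagated to that responder when it was asked."""
    return [h for h in find_post_revocation_requests(log_text, revoked)
            if h["status"] == "good"]


if __name__ == "__main__":
    for hit in find_post_revocation_requests(SAMPLE_LOG):
        print("post-revocation request:", hit)
    print("stale 'good' answers:", find_stale_good_answers(SAMPLE_LOG))
```

On the constructed log the script reports three post-revocation requests (two answered 'revoked', one answered 'good' a minute after revocation) and flags that single 'good' answer as stale; a request for the first serial five minutes before revocation is correctly ignored.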

The site in Iran on which the certificate was tested quickly became unavailable.

We immediately got in touch with the principal browsers and domain owners and alerted them to what had happened.

There was a coordinated effort for a responsible disclosure.

All relevant government authorities were informed and involved.

The RA account in question has been suspended pending the ongoing forensic investigation.

We immediately introduced new controls in the wake of this new threat to the authentication platform.

Our interpretation

The circumstantial evidence suggests that the attack originated in Iran.

The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).

The perpetrator can only make use of these certificates if it has control of the DNS infrastructure.

The perpetrator has executed its attacks with clinical accuracy.

The Iranian government has recently attacked other encrypted methods of communication.

All of the above leads us to one conclusion only: that this was likely to be a state-driven attack.